Wildcard at apex doesn't pass DNSSEC validation.
When running zonemaster.net against zone agriwise.org it gives an error in DNSSEC for "random label" in a zone's apex where the label is expanded from a wildcard:
The name "xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org." of RR type "A" is signed by RRSIG, but the signature or signatures cannot be verified. Fetched from the nameservers with IP addresses "194.71.214.4; 194.71.214.5; 2001:41d0:701:1100::ba9; 2001:67c:240c:214::4; 2001:67c:240c:214::5; 2a02:c207:2023:8616::1; 5.189.136.199; 54.37.72.244".
The validity of the label aside, checking the RRSIG for "xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org" gives:
    #delv xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org
    ; unsigned answer
    xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN A 194.9.94.85
    xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN A 194.9.94.86
    xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN RRSIG A 8 2 3600 20221102040002 20221003040002 33699 agriwise.org. pg9r3DiIq5e3MHmQFgy9ACR1+ALtKZHJK3Xpvwcti8mVOJfBeXs+N70q 1CRtaRCHUGLbnZ2gnfnBiHObiw3n5A7naS0/gp3AccbfxErTgNXtQ8px z+31QKW3wJMbOye275osRTzoDR0JJHTB/SCpGDYg3/RmOFNiY1ndQYy5 hDG3BX7SH7Y9xVrA2dSAN3aj/ZUzKdhFYN4SfwIyW8Pl2MQ/HNa420EN xmZMu4bayLWMLPAnh8t+0Sy4JGiIJS8j/Bh8xW1xDUJZNK9UtRzTx1B3 Utbxt7brU4hzkf1BzhRbWgxNWklEPSwSn05QRe0M7TWJVSYAqPNaxRRZ xVHqVg==
The RRSIG shows a label count of two instead of three, which indicates that it is a wildcard RRSIG. So:
    #delv *.agriwise.org
    ; fully validated
    *.agriwise.org. 3600 IN A 194.9.94.86
    *.agriwise.org. 3600 IN A 194.9.94.85
    *.agriwise.org. 3600 IN RRSIG A 8 2 3600 20221102040002 20221003040002 33699 agriwise.org. pg9r3DiIq5e3MHmQFgy9ACR1+ALtKZHJK3Xpvwcti8mVOJfBeXs+N70q 1CRtaRCHUGLbnZ2gnfnBiHObiw3n5A7naS0/gp3AccbfxErTgNXtQ8px z+31QKW3wJMbOye275osRTzoDR0JJHTB/SCpGDYg3/RmOFNiY1ndQYy5 hDG3BX7SH7Y9xVrA2dSAN3aj/ZUzKdhFYN4SfwIyW8Pl2MQ/HNa420EN xmZMu4bayLWMLPAnh8t+0Sy4JGiIJS8j/Bh8xW1xDUJZNK9UtRzTx1B3 Utbxt7brU4hzkf1BzhRbWgxNWklEPSwSn05QRe0M7TWJVSYAqPNaxRRZ xVHqVg==
So it should be valid in the test. Or am I missing something critical?
Thanks for raising the issue.
This issue is about the DNSSEC10 test case. It has been observed before. Issue #1048 points at a solution for that.
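The label-count reasoning in the report above, as an added example (not part of the original thread and not Zonemaster's code): it applies the RFC 4035 section 5.3.2 rule that a validator uses to decide which owner name an RRSIG was computed over. The function names are hypothetical, the sample line is the RRSIG from the report with its signature omitted, and escaped dots inside labels are not handled.

```python
"""RFC 4035 section 5.3.2: which owner name does an RRSIG actually sign?"""

def _labels(fqdn):
    # Labels of an absolute name, root label excluded. Assumes no escaped dots.
    name = fqdn.rstrip(".").lower()
    return name.split(".") if name else []

def parse_rrsig(line):
    """Return (owner, labels_field, signer) from a presentation-format RRSIG line."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record with TTL and class")
    return f[0], int(f[6]), f[11]

def signed_owner_name(owner, rrsig_labels):
    """Return (name the signature covers, answer_was_wildcard_expanded)."""
    labels = _labels(owner)
    # A leading "*" label is not counted in the RRSIG Labels field.
    counted = len(labels) - 1 if labels and labels[0] == "*" else len(labels)
    if rrsig_labels > counted:
        # Such an RRSIG can never validate this RRset.
        raise ValueError("RRSIG Labels field exceeds owner name label count")
    if rrsig_labels == counted:
        return ".".join(labels) + ".", False
    # Fewer labels than the owner name: the answer was synthesized from
    # "*." + the rightmost rrsig_labels labels, and the signature must be
    # checked against that wildcard name, not the name in the answer.
    rightmost = labels[len(labels) - rrsig_labels:]
    return ".".join(["*"] + rightmost) + ".", True

# RRSIG from the report; the signature field is replaced by a placeholder.
SAMPLE = ("xx--oplk4f3fgh9lksdfhu7h--xx.agriwise.org. 3098 IN RRSIG A 8 2 3600 "
          "20221102040002 20221003040002 33699 agriwise.org. (signature-omitted)")

if __name__ == "__main__":
    owner, labels_field, signer = parse_rrsig(SAMPLE)
    name, expanded = signed_owner_name(owner, labels_field)
    print(f"answer owner : {owner}")
    print(f"signed name  : {name} (signer {signer})")
    print(f"wildcard expansion: {expanded}")
```

For a wildcard-expanded answer, a validator also needs the NSEC or NSEC3 records proving that no closer match for the queried name exists (RFC 4035 section 5.3.4), so the signature verifying over the wildcard name is necessary but not sufficient.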